Sidecar configuration for mTLS for accessing external service

Hello,

I access an external service with mTLS via an egress gateway, as described in this documentation: https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-mutual-tls-origination-with-an-egress-gateway

Nevertheless, I am trying to configure my pod to access the external service directly with mTLS, in order to call it directly over HTTPS without making an HTTP call first.

My conf is like this:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: testser.cbp-dev.com
spec:
  hosts:
  - <external.service.host>
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: tls-port
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: <external.service.host>
spec:
  host: <external.service.host>
  trafficPolicy:
    tls:
      mode: MUTUAL
      credentialName: <secretNameWithCredential>
      sni: <external.service.host>

Unfortunately, it doesn’t work and I can’t understand why.

Can somebody explain to me why it doesn’t work?

I found my problem. My bad, I didn’t read the doc correctly: https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings

NOTE: This field is currently applicable only at gateways. Sidecars will continue to use the certificate paths.
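
Added example, not part of the original posts: a sketch of the file-path form the quoted note points to, where the sidecar reads the client certificate from files instead of `credentialName`. The volume name, mount path and secret key names (`tls.crt`, `tls.key`, `ca.crt`) are assumptions, and the placeholders are the ones used in the question.

```yaml
# Pod template fragment of the client workload (hypothetical Deployment).
# The annotations ask the injector to mount the secret into the istio-proxy
# container so the sidecar can read the key material from disk.
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/userVolume: '[{"name":"client-certs","secret":{"secretName":"<secretNameWithCredential>"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"client-certs","mountPath":"/etc/istio/client-certs","readOnly":true}]'
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: <external.service.host>
spec:
  host: <external.service.host>
  trafficPolicy:
    tls:
      mode: MUTUAL
      # File paths as seen from inside the sidecar container (assumed mount path).
      # The file names must match the keys stored in the secret.
      clientCertificate: /etc/istio/client-certs/tls.crt
      privateKey: /etc/istio/client-certs/tls.key
      # CA bundle used to verify the external server's certificate.
      caCertificates: /etc/istio/client-certs/ca.crt
      sni: <external.service.host>
```

The secret has to live in the workload's own namespace for the volume mount to resolve, so the private key is readable by that pod; scope access to the secret and the namespace accordingly.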